Is anyone monitoring for the start and end of SCEP scans? I’m trying to convince our Windows Engineering team and Security that the Full Weekly Scans aren’t effective on large disks, but I need to be able to show how long they are taking. We’ve observed that some will go on for over 1 week, resulting in the subsequent failure of the next scheduled weekly Full scan. I’m also working on the theory that while SCEP is occupied wasting its time on a Full scan, it’s not updating its definition files, because I work the compliance issues on systems with DEFs over 5 days old and every single one of them is running a Full scan when I log in. The GUI isn’t helpful because it shows the session time as the start of the scan.

Sorry for not updating this earlier, but what I've decided to go with was much simpler. I found that Event ID 1000 (Source: Microsoft Antimalware) in the System Event Log indicates the start, and 1001 indicates the end. I built a simple Windows Event monitor to show a Warn when the scan starts, and then go Green when it stops. Then I can just check the Health Explorer and see the amount of time it took.
When I have more time, perhaps in a different lifetime, I plan on enhancing this to allow for a critical for event ID 1002, which indicates the scan was cancelled.
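As an added example (not part of the original reply), here is a PowerShell script that pairs the 1000 start events with the following 1001/1002 end event and reports each scan's duration, so the "scans running over a week" claim can be backed with numbers. It assumes the events sit in the System log under the provider name "Microsoft Antimalware" as stated above; the 24-hour warning threshold and the regex used to pull the scan type out of the event message are assumptions.

```powershell
# Added example: measure SCEP scan duration from System log events 1000 (start), 1001 (end), 1002 (cancelled).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$DaysBack = 30,
    [double]$WarnHours = 24   # assumed threshold: flag scans longer than this
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'   # provider name as given in the post
    Id           = 1000, 1001, 1002
    StartTime    = (Get-Date).AddDays(-$DaysBack)
}

# Oldest first, so every start event can be matched with the next end event
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    Sort-Object TimeCreated

function New-ScanRow($start, $end, $outcome) {
    $stop  = if ($end) { $end.TimeCreated } else { Get-Date }
    $hours = [math]::Round(($stop - $start.TimeCreated).TotalHours, 1)
    # Scan type is parsed from the message text; the wording is an assumption, so fall back to Unknown
    $type  = if ($start.Message -match 'Scan Parameters:\s*(\w+ Scan)') { $Matches[1] } else { 'Unknown' }
    [pscustomobject]@{
        Computer = $ComputerName
        ScanType = $type
        Start    = $start.TimeCreated
        End      = if ($end) { $end.TimeCreated } else { $null }
        Outcome  = $outcome
        Hours    = $hours
        Flag     = if ($hours -gt $WarnHours) { 'LONG' } else { '' }
    }
}

$openStart = $null
$rows = @(foreach ($e in $events) {
    if ($e.Id -eq 1000) {
        # Two starts with no end between them: the earlier scan never logged completion
        if ($openStart) { New-ScanRow $openStart $null 'NoEndLogged' }
        $openStart = $e
    }
    elseif ($openStart) {
        $outcome = if ($e.Id -eq 1001) { 'Completed' } else { 'Cancelled' }
        New-ScanRow $openStart $e $outcome
        $openStart = $null
    }
})
# A trailing start with no end: the scan is still running right now
if ($openStart) { $rows += New-ScanRow $openStart $null 'Running' }

$rows | Sort-Object Start | Format-Table -AutoSize
```

Run it per host (or loop over a list of computer names) and the LONG and Running rows are the ones worth showing to the engineering team; 1002 rows expose cancelled scans without waiting for the Health Explorer enhancement.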
Thanks for the log info, I have the NICE PM, so I may spend some time looking into using it more.